OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: binaryanomaly on July 22, 2021, 08:20:31 pm

Title: Blocking malicious IPs with OPNsense and blacklists
Post by: binaryanomaly on July 22, 2021, 08:20:31 pm
Cross posting this here for better discoverability:

Blocking malicious IPs with OPNsense using spamhaus droplists and dshield_30_days is actually quite easy.

How it's done:
➡️ https://www.allthingstech.ch/blocking-malicious-ips-with-opnsense/
Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: hushcoden on July 30, 2021, 11:54:13 pm
Thanks, trying to understand why the alias of the blocklists is in 'destination' and in 'source' or in both ?
Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: binaryanomaly on July 31, 2021, 08:18:18 am
Hi,

In the proposed configuration it's currently destination only.
Having it in source and destination would require setting up two separate rules.

For most simple configurations destination should be good enough to catch potential outgoing traffic if you block incoming traffic from WAN already - which probably most simple setups do.

If you have a more advanced setup where you allow incoming traffic from WAN, i.e. for a VPN or other services, you may want to have an additional rule to block incoming traffic by source.

That would be my current understanding of how it works.
Does it make sense or have I overlooked something?

Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: hushcoden on August 12, 2021, 08:25:07 am
Thanks binaryanomaly for the explanation, and I think it's better to have just one set of those rules rather than duplicate them in both LAN and WAN as I did following this article: https://docs.opnsense.org/manual/how-tos/edrop.html

I wonder why the official documentation doesn't mention this other option too...
Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: binaryanomaly on August 12, 2021, 08:48:15 pm
> I wonder why the official documentation doesn't mention this other option too...

I think the official documentation does not get updated too often.
(Updating it is also not as simple and straightforward as with modern wysiwyg wikis.)
Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: hushcoden on November 01, 2021, 05:33:56 pm
Sorry, me again, I'm trying to understand how those floating rules work and I'm still confused: from what I understood from the article and your response, that floating rule blocks any attempt from a LAN client to connect to any of the malicious IPs, am I right?

If so, why do we need the direction set to 'any' and not just 'in'?

What if I also want to block any attempt from any of those malicious IPs (defined in the alias) to attempt to connect to a LAN client ?
From your response I take it we need to add another rule?

Tia.
Title: Re: Blocking malicious IPs with OPNsense and blacklists
Post by: binaryanomaly on November 01, 2021, 08:26:39 pm
Hi,

The rule blocks any connections where the destination is one of the IPs in the blacklist.

You would need another rule to block any connections where the source is one of the IPs in the blacklist.
But most setups do not allow incoming traffic from the WAN interface anyway so this is kinda obsolete.

You're right, 'any' for the direction may not even be required, but I just didn't bother since 'any' works just fine as well.

-b
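The two points made in the July 31 and November 1 replies (a destination-only floating rule only catches traffic going *to* a listed address, a second source rule is needed for traffic coming *from* one, and direction 'in' already sees a LAN client's packet when it enters the LAN interface) can be checked with a small model of the setup. The following is an added example, not code from the blog post or from OPNsense itself. The feed lines are constructed samples in the Spamhaus DROP format (`CIDR ; SBL reference`) and the tab-separated DShield block-list format; the `Packet`/`Rule` model and the assumption that a matching block rule is quick (OPNsense's default) are simplifications of pf and ignore the rest of the ruleset.

```python
"""Model of an OPNsense URL Table alias fed by Spamhaus DROP and DShield
lists, plus floating block rules matched against it. Added example, not the
project's code; feed lines below are constructed samples."""
import ipaddress
from dataclasses import dataclass

# Constructed sample feeds (not real list contents). Spamhaus DROP lines are
# "<CIDR> ; <SBL ref>", DShield block lines are tab separated:
# "<start>\t<end>\t<mask>\t<attacks>\t<name>\t<cc>\t<email>", '#' = comment.
SPAMHAUS_DROP_SAMPLE = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""
DSHIELD_SAMPLE = """# DShield block list (constructed sample)
203.0.113.0\t203.0.113.255\t24\t1000\tEXAMPLE-NET\tXX\tabuse@example.invalid
"""


def parse_spamhaus_drop(text: str) -> list:
    """Return the networks from a DROP-format feed, dropping '; SBLxxx' tails."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_dshield_block(text: str) -> list:
    """Return the networks from a DShield block-list feed (start + mask)."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, _end, mask = line.split("\t")[:3]
        nets.append(ipaddress.ip_network(f"{start}/{mask}", strict=False))
    return nets


def build_alias(*feeds) -> list:
    """Merge several feeds into one alias, as a URL Table alias would."""
    return [net for feed in feeds for net in feed]


def in_alias(ip: str, alias: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the firewall sees the packet on ("lan"/"wan")
    direction: str  # "in" = entering the firewall on iface, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    field: str              # "source" or "destination": which address is matched against the alias
    direction: str = "any"  # floating rule direction: "in", "out" or "any"


def rule_matches(rule: Rule, pkt: Packet, alias: list) -> bool:
    """A floating rule with no interface set applies on every interface."""
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    addr = pkt.src if rule.field == "source" else pkt.dst
    return in_alias(addr, alias)


def blocked_by(rules, pkt: Packet, alias: list):
    """First matching block rule (rules are 'quick' by default in OPNsense), else None."""
    return next((r for r in rules if rule_matches(r, pkt, alias)), None)


ALIAS = build_alias(parse_spamhaus_drop(SPAMHAUS_DROP_SAMPLE),
                    parse_dshield_block(DSHIELD_SAMPLE))
DEST_ONLY = [Rule("destination")]                    # the blog post's single rule
BOTH = [Rule("destination"), Rule("source")]         # plus the extra source rule

# LAN client talking to a listed address: the firewall first sees it 'in' on LAN.
OUTBOUND = Packet("10.0.0.5", "192.0.2.10", "lan", "in")
# Listed address reaching a service you deliberately expose: seen 'in' on WAN.
INBOUND = Packet("203.0.113.7", "10.0.0.5", "wan", "in")

if __name__ == "__main__":
    for name, rules in (("destination only", DEST_ONLY), ("destination + source", BOTH)):
        for pkt in (OUTBOUND, INBOUND):
            hit = blocked_by(rules, pkt, ALIAS)
            print(f"{name:22} {pkt.src} -> {pkt.dst} ({pkt.direction} on {pkt.iface}): "
                  f"{'blocked by ' + hit.field if hit else 'not blocked by blocklist rules'}")
```

The destination-only rule stops the LAN client, but the packet from a listed address to an exposed service passes the blocklist rules untouched; only the source rule catches it. Changing the destination rule to direction 'in' still blocks the LAN client, because the packet is matched when it enters on LAN, before it would be seen 'out' on WAN.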